author | mandree <mandree@FreeBSD.org> | 2015-02-24 08:17:50 +0800 |
---|---|---|
committer | mandree <mandree@FreeBSD.org> | 2015-02-24 08:17:50 +0800 |
commit | a98fe2ee3f0e84936dd1d4f932088d1d081fda2a (patch) | |
tree | a48a13bb557892fcfdee25864672c72e098f1a11 | |
parent | 44966eca79ebb740b8feb3c2987e0d14b42b0fda (diff) | |
Cherry-pick a security fix and a few other fixes from the upstream Git
repository.
Note that CVE-2015-0247 had already been fixed in 1.42.12 proper.
Security: 2a4bcd7d-bbb8-11e4-903c-080027ef73ec
Security: CVE-2015-1572
8 files changed, 386 insertions, 1 deletions
diff --git a/sysutils/e2fsprogs/Makefile b/sysutils/e2fsprogs/Makefile index fbcbe22ad5cc..e85c774b37af 100644 --- a/sysutils/e2fsprogs/Makefile +++ b/sysutils/e2fsprogs/Makefile @@ -3,7 +3,7 @@ PORTNAME= e2fsprogs PORTVERSION= 1.42.12 -PORTREVISION?= 1 +PORTREVISION?= 2 CATEGORIES?= sysutils MASTER_SITES= KERNEL_ORG/linux/kernel/people/tytso/${PORTNAME}/v${PORTVERSION} diff --git a/sysutils/e2fsprogs/files/patch-zzz-160f131deed7d3db2aa958051eef7ae8fafa8539 b/sysutils/e2fsprogs/files/patch-zzz-160f131deed7d3db2aa958051eef7ae8fafa8539 new file mode 100644 index 000000000000..b72ca14118f8 --- /dev/null +++ b/sysutils/e2fsprogs/files/patch-zzz-160f131deed7d3db2aa958051eef7ae8fafa8539 
@@ -0,0 +1,48 @@
+From 160f131deed7d3db2aa958051eef7ae8fafa8539 Mon Sep 17 00:00:00 2001
+From: Eric Sandeen <sandeen@redhat.com>
+Date: Thu, 23 Oct 2014 16:27:32 -0500
+Subject: libext2fs: fix endian handling of ext3_extent_header
+
+This turned up when trying to resize a filesystem containing
+a file with many extents on PPC64.
+
+Fix all locations where ext3_extent_header members aren't
+handled in an endian-safe manner.
+
+Signed-off-by: Eric Sandeen <sandeen@redhat.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+
+diff --git a/lib/ext2fs/ext3_extents.h b/lib/ext2fs/ext3_extents.h
+index 88fabc9..fcf4d86 100644
+--- ./lib/ext2fs/ext3_extents.h
++++ ./lib/ext2fs/ext3_extents.h
+@@ -95,15 +95,20 @@ struct ext3_ext_path {
+ ((struct ext3_extent_idx *) (((char *) (__hdr__)) + \
+ sizeof(struct ext3_extent_header)))
+ #define EXT_HAS_FREE_INDEX(__path__) \
+- ((__path__)->p_hdr->eh_entries < (__path__)->p_hdr->eh_max)
++ (ext2fs_le16_to_cpu((__path__)->p_hdr->eh_entries) < \
++ ext2fs_le16_to_cpu((__path__)->p_hdr->eh_max))
+ #define EXT_LAST_EXTENT(__hdr__) \
+- (EXT_FIRST_EXTENT((__hdr__)) + (__hdr__)->eh_entries - 1)
++ (EXT_FIRST_EXTENT((__hdr__)) + \
++ ext2fs_le16_to_cpu((__hdr__)->eh_entries) - 1)
+ #define EXT_LAST_INDEX(__hdr__) \
+- (EXT_FIRST_INDEX((__hdr__)) + (__hdr__)->eh_entries - 1)
++ (EXT_FIRST_INDEX((__hdr__)) + \
++ ext2fs_le16_to_cpu((__hdr__)->eh_entries) - 1)
+ #define EXT_MAX_EXTENT(__hdr__) \
+- (EXT_FIRST_EXTENT((__hdr__)) + (__hdr__)->eh_max - 1)
++ (EXT_FIRST_EXTENT((__hdr__)) + \
++ ext2fs_le16_to_cpu((__hdr__)->eh_max) - 1)
+ #define EXT_MAX_INDEX(__hdr__) \
+- (EXT_FIRST_INDEX((__hdr__)) + (__hdr__)->eh_max - 1)
++ (EXT_FIRST_INDEX((__hdr__)) + \
++ ext2fs_le16_to_cpu((__hdr__)->eh_max) - 1)
+
+ #endif /* _LINUX_EXT3_EXTENTS */
+
+--
+cgit v0.10.2
+
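Review bot: The rewritten EXT_LAST_EXTENT, EXT_LAST_INDEX, EXT_MAX_EXTENT and EXT_MAX_INDEX macros byte-swap eh_entries and eh_max but still use them unchecked as pointer offsets, so a header read from a damaged image can place the result outside the block. Nothing in this hunk bounds the counts; if callers are expected to validate the extent header first, a comment above the macros should say so, for example `/* eh_entries and eh_max are raw on-disk values; the extent header must be verified before these macros are used */`. With eh_entries equal to 0 the two EXT_LAST_* macros also evaluate to one element before the first entry, which belongs in the same comment.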
diff --git a/sysutils/e2fsprogs/files/patch-zzz-407916f5af4443e0ddd9469c57fc1684c07f9294 b/sysutils/e2fsprogs/files/patch-zzz-407916f5af4443e0ddd9469c57fc1684c07f9294
new file mode 100644
index 000000000000..df9d83f1101d
--- /dev/null
+++ b/sysutils/e2fsprogs/files/patch-zzz-407916f5af4443e0ddd9469c57fc1684c07f9294
@@ -0,0 +1,32 @@
+From 407916f5af4443e0ddd9469c57fc1684c07f9294 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Fri, 7 Nov 2014 21:27:53 -0500
+Subject: libext2fs: fix endian handling error; reduce fragmentation some
+
+If we're going to read the "nr - 1" entry in an indirect block for use
+as a "goal" input to the block allocator, we need to byteswap the
+entry. While we're at it, if we're allocating blocks for the zeroth
+entry in the indirect block, we might as well use the indirect block
+as the starting point to try to reduce fragmentation.
+
+(d_fallocate_blkmap will test this...)
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+
+diff --git a/lib/ext2fs/bmap.c b/lib/ext2fs/bmap.c
+index db2fd72..a8bb00d 100644
+--- ./lib/ext2fs/bmap.c
++++ ./lib/ext2fs/bmap.c
+@@ -67,7 +67,7 @@ static _BMAP_INLINE_ errcode_t block_ind_bmap(ext2_filsys fs, int flags,
+ #endif
+
+ if (!b && (flags & BMAP_ALLOC)) {
+- b = nr ? ((blk_t *) block_buf)[nr-1] : 0;
++ b = nr ? ext2fs_le32_to_cpu(((blk_t *)block_buf)[nr - 1]) : ind;
+ retval = ext2fs_alloc_block(fs, b,
+ block_buf + fs->blocksize, &b);
+ if (retval)
+--
+cgit v0.10.2
+
diff --git a/sysutils/e2fsprogs/files/patch-zzz-63b4cbb8bc8602d5dfe80413005142a7b59c25ef b/sysutils/e2fsprogs/files/patch-zzz-63b4cbb8bc8602d5dfe80413005142a7b59c25ef
new file mode 100644
index 000000000000..61b55f2d9507
--- /dev/null
+++ b/sysutils/e2fsprogs/files/patch-zzz-63b4cbb8bc8602d5dfe80413005142a7b59c25ef
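Review bot: On the changed line in block_ind_bmap the allocation goal `b` comes either from the on-disk indirect block (now byte-swapped) or from `ind`, and nothing visible in the hunk bounds it before it is passed to ext2fs_alloc_block. Presumably the allocator treats the goal as a hint and range-checks it, but that code is outside this hunk, as is the rest of the function. A one-line comment such as `/* goal is only a hint: previous entry if any, else the indirect block itself */` would also record why the fallback changed from 0 to `ind`.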
@@ -0,0 +1,128 @@ +From 63b4cbb8bc8602d5dfe80413005142a7b59c25ef Mon Sep 17 00:00:00 2001 +From: "Darrick J. Wong" <darrick.wong@oracle.com> +Date: Tue, 2 Dec 2014 22:00:04 -0500 +Subject: misc: fix infinite loop when finding the start of the hugefile start + range + +When looking for the start of the hugefile range, the 'next' variable +is incorrectly decremented. If we happened to find a single free +block, the effect of this decrement is that blk == next, which means +that we never modify the loop control variable, so get_start_block +never returns. + +Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com> +Signed-off-by: Theodore Ts'o <tytso@mit.edu> + +diff --git a/misc/mk_hugefiles.c b/misc/mk_hugefiles.c +index 8291f01..5f56a79 100644 +--- ./misc/mk_hugefiles.c ++++ ./misc/mk_hugefiles.c +@@ -437,7 +437,6 @@ static blk64_t get_start_block(ext2_filsys fs, blk64_t slack) + blk, last_blk, &next); + if (retval) + next = last_blk; +- next--; + + if (next - blk > slack) { + blk += slack; +diff --git a/tests/m_hugefile_slack/expect b/tests/m_hugefile_slack/expect +new file mode 100644 +index 0000000..96a628a +--- /dev/null ++++ ./tests/m_hugefile_slack/expect +@@ -0,0 +1,18 @@ ++tune2fs test ++Creating filesystem with 786432 1k blocks and 98304 inodes ++Superblock backups stored on blocks: ++ 8193, 24577, 40961, 57345, 73729, 204801, 221185, 401409, 663553 ++ ++Allocating group tables: done ++Writing inode tables: done ++Creating journal (16384 blocks): done ++Creating 6368 huge file(s) with 117 blocks each: done ++Writing superblocks and filesystem accounting information: done ++ ++Pass 1: Checking inodes, blocks, and sizes ++Pass 2: Checking directory structure ++Pass 3: Checking directory connectivity ++Pass 4: Checking reference counts ++Pass 5: Checking group summary information ++ ++Exit status is 0 +diff --git a/tests/m_hugefile_slack/name b/tests/m_hugefile_slack/name +new file mode 100644 +index 0000000..8d51fd6 +--- /dev/null ++++ 
./tests/m_hugefile_slack/name +@@ -0,0 +1 @@ ++mke2fs creating a hugefile fs with a lot of slack +diff --git a/tests/m_hugefile_slack/script b/tests/m_hugefile_slack/script +new file mode 100644 +index 0000000..eecb2d7 +--- /dev/null ++++ ./tests/m_hugefile_slack/script +@@ -0,0 +1,61 @@ ++if test -x $RESIZE2FS_EXE -a -x $DEBUGFS_EXE; then ++ ++FSCK_OPT=-fn ++OUT=$test_name.log ++EXP=$test_dir/expect ++CONF=$TMPFILE.conf ++ ++#gzip -d < $EXP.gz > $EXP ++ ++cat > $CONF << ENDL ++[fs_types] ++ ext4h = { ++ features = has_journal,extent,huge_file,uninit_bg,dir_nlink,extra_isize,sparse_super,filetype,dir_index,ext_attr,^resize_inode,^meta_bg,^flex_bg,64bit ++ blocksize = 1024 ++ inode_size = 256 ++ make_hugefiles = true ++ hugefiles_dir = / ++ hugefiles_slack = 12000K ++ hugefiles_name = aaaaa ++ hugefiles_digits = 4 ++ hugefiles_size = 117K ++ zero_hugefiles = false ++ } ++ENDL ++ ++echo "tune2fs test" > $OUT ++ ++MKE2FS_CONFIG=$CONF $MKE2FS -F -T ext4h -I 128 $TMPFILE 786432 >> $OUT 2>&1 ++rm -rf $CONF ++ ++# dump and check. if we get this far, we succeeded... ++$FSCK $FSCK_OPT -N test_filesys $TMPFILE >> $OUT 2>&1 ++status=$? ++echo Exit status is $status >> $OUT ++ ++rm $TMPFILE ++ ++# ++# Do the verification ++# ++ ++sed -f $cmd_dir/filter.sed -e "s;$TMPFILE;test.img;" -e 's/test_filesys:.*//g' < $OUT > $OUT.new ++mv $OUT.new $OUT ++ ++cmp -s $OUT $EXP ++status=$? ++ ++if [ "$status" = 0 ] ; then ++ echo "$test_name: $test_description: ok" ++ touch $test_name.ok ++else ++ echo "$test_name: $test_description: failed" ++ diff $DIFF_OPTS $EXP $OUT > $test_name.failed ++fi ++ ++unset IMAGE FSCK_OPT OUT EXP CONF ++ ++else #if test -x $RESIZE2FS_EXE -a -x $DEBUGFS_EXE; then ++ echo "$test_name: $test_description: skipped" ++fi ++ +-- +cgit v0.10.2 + 
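Review bot: The new tests/m_hugefile_slack/script is gated on `test -x $RESIZE2FS_EXE -a -x $DEBUGFS_EXE`, yet its body only runs $MKE2FS and $FSCK, so the test can be skipped because of a missing tool it never uses. The log header `echo "tune2fs test"` and the `unset IMAGE` (IMAGE is never set in this script) look like leftovers from the script it was copied from. The variable expansions are unquoted throughout, including `rm -rf $CONF` and `rm $TMPFILE`; quoting them, e.g. `rm -f "$CONF"`, keeps a temporary path containing whitespace from changing what is removed.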
diff --git a/sysutils/e2fsprogs/files/patch-zzz-CVE-2015-1572-49d0fe2a14f2a23da2fe299643379b8c1d37df73 b/sysutils/e2fsprogs/files/patch-zzz-CVE-2015-1572-49d0fe2a14f2a23da2fe299643379b8c1d37df73
new file mode 100644
index 000000000000..38ca12cc40a5
--- /dev/null
+++ b/sysutils/e2fsprogs/files/patch-zzz-CVE-2015-1572-49d0fe2a14f2a23da2fe299643379b8c1d37df73
@@ -0,0 +1,53 @@
+From 49d0fe2a14f2a23da2fe299643379b8c1d37df73 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Fri, 6 Feb 2015 12:46:39 -0500
+Subject: libext2fs: fix potential buffer overflow in closefs()
+
+The bug fix in f66e6ce4446: "libext2fs: avoid buffer overflow if
+s_first_meta_bg is too big" had a typo in the fix for
+ext2fs_closefs(). In practice most of the security exposure was from
+the openfs path, since this meant if there was a carefully crafted
+file system, buffer overrun would be triggered when the file system was
+opened.
+
+However, if corrupted file system didn't trip over some corruption
+check, and then the file system was modified via tune2fs or debugfs,
+such that the superblock was marked dirty and then written out via the
+closefs() path, it's possible that the buffer overrun could be
+triggered when the file system is closed.
+
+Also clear up a signed vs unsigned warning while we're at it.
+
+Thanks to Nick Kralevich <nnk@google.com> for asking me to look at
+compiler warning in the code in question, which led me to notice the
+bug in f66e6ce4446.
+
+Addresses: CVE-2015-1572
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+
+diff --git a/lib/ext2fs/closefs.c b/lib/ext2fs/closefs.c
+index 1f99113..ab5b2fb 100644
+--- ./lib/ext2fs/closefs.c
++++ ./lib/ext2fs/closefs.c
+@@ -287,7 +287,7 @@ errcode_t ext2fs_flush2(ext2_filsys fs, int flags)
+ dgrp_t j;
+ #endif
+ char *group_ptr;
+- int old_desc_blocks;
++ blk64_t old_desc_blocks;
+ struct ext2fs_numeric_progress_struct progress;
+
+ EXT2_CHECK_MAGIC(fs, EXT2_ET_MAGIC_EXT2FS_FILSYS);
+@@ -346,7 +346,7 @@ errcode_t ext2fs_flush2(ext2_filsys fs, int flags)
+ group_ptr = (char *) group_shadow;
+ if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
+ old_desc_blocks = fs->super->s_first_meta_bg;
+- if (old_desc_blocks > fs->super->s_first_meta_bg)
++ if (old_desc_blocks > fs->desc_blocks)
+ old_desc_blocks = fs->desc_blocks;
+ } else
+ old_desc_blocks = fs->desc_blocks;
+--
+cgit v0.10.2
+
diff --git a/sysutils/e2fsprogs/files/patch-zzz-beec19ff21d41c84dbbc2ab8d0df25147912ff59 b/sysutils/e2fsprogs/files/patch-zzz-beec19ff21d41c84dbbc2ab8d0df25147912ff59
new file mode 100644
index 000000000000..7767e9b77647
--- /dev/null
+++ b/sysutils/e2fsprogs/files/patch-zzz-beec19ff21d41c84dbbc2ab8d0df25147912ff59
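Review bot: The clamp of `old_desc_blocks` against `fs->desc_blocks` in ext2fs_flush2 appears to be a second hand-written copy of a check that, going by the patch description, also exists on the openfs path, and the typo corrected here shows how easily such copies diverge. A small shared helper returning the smaller of s_first_meta_bg and desc_blocks for the META_BG case, called from both places, would remove that risk; failing that, a comment at the clamp such as `/* s_first_meta_bg is read from disk and may exceed desc_blocks */` would make the intent explicit. The type change to `blk64_t` also affects every later use of `old_desc_blocks` in the function, which lies outside both hunks and is worth checking for new signed/unsigned comparisons.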
@@ -0,0 +1,48 @@
+From beec19ff21d41c84dbbc2ab8d0df25147912ff59 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Wed, 5 Nov 2014 11:14:26 -0500
+Subject: e2fsck: fix dangling pointer when dir_info array is resized
+
+e2fsck uses an array to store directory usage information during pass
+3; the usage context also contains a pointer to the last directory
+looked up. When expanding the dir_info array, this cache pointer
+needs to be cleared if the array resize changed the pointer location,
+or else we'll later walk off the end of this dead pointer.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reported-by: Sami Liedes <sami.liedes@iki.fi>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+
+diff --git a/e2fsck/dirinfo.c b/e2fsck/dirinfo.c
+index 4a9019b..dab5a13 100644
+--- ./e2fsck/dirinfo.c
++++ ./e2fsck/dirinfo.c
+@@ -121,7 +121,7 @@ static void setup_db(e2fsck_t ctx)
+ void e2fsck_add_dir_info(e2fsck_t ctx, ext2_ino_t ino, ext2_ino_t parent)
+ {
+ struct dir_info_db *db;
+- struct dir_info *dir, ent;
++ struct dir_info *dir, ent, *old_array;
+ int i, j;
+ errcode_t retval;
+ unsigned long old_size;
+@@ -136,6 +136,7 @@ void e2fsck_add_dir_info(e2fsck_t ctx, ext2_ino_t ino, ext2_ino_t parent)
+ if (ctx->dir_info->count >= ctx->dir_info->size) {
+ old_size = ctx->dir_info->size * sizeof(struct dir_info);
+ ctx->dir_info->size += 10;
++ old_array = ctx->dir_info->array;
+ retval = ext2fs_resize_mem(old_size, ctx->dir_info->size *
+ sizeof(struct dir_info),
+ &ctx->dir_info->array);
+@@ -147,6 +148,8 @@ void e2fsck_add_dir_info(e2fsck_t ctx, ext2_ino_t ino, ext2_ino_t parent)
+ ctx->dir_info->size -= 10;
+ return;
+ }
++ if (old_array != ctx->dir_info->array)
++ ctx->dir_info->last_lookup = NULL;
+ }
+
+ ent.ino = ino;
+--
+cgit v0.10.2
+
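Review bot: The added test `if (old_array != ctx->dir_info->array)` reads `old_array` after ext2fs_resize_mem may have released the block it pointed to; if that helper behaves like realloc, which the hunk does not show, the value of a pointer to freed storage is indeterminate in ISO C and the comparison is not strictly portable. Since the patch description calls last_lookup a cache, clearing it unconditionally after a successful resize with `ctx->dir_info->last_lookup = NULL;` removes both the extra variable and the comparison at the cost of one repeated lookup. The body of e2fsck_add_dir_info continues outside these hunks.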
diff --git a/sysutils/e2fsprogs/files/patch-zzz-dab7435917698bb490cce61fc8be1be0a862cf66 b/sysutils/e2fsprogs/files/patch-zzz-dab7435917698bb490cce61fc8be1be0a862cf66
new file mode 100644
index 000000000000..bcbe22ee6de7
--- /dev/null
+++ b/sysutils/e2fsprogs/files/patch-zzz-dab7435917698bb490cce61fc8be1be0a862cf66
@@ -0,0 +1,31 @@
+From dab7435917698bb490cce61fc8be1be0a862cf66 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Sat, 25 Oct 2014 13:56:42 -0700
+Subject: libext2fs: directory iteration mustn't walk off the buffer end
+
+When we're iterating a directory, the loop control code reads the
+length of the next directory record, failing to account for the fact
+that there must be at least 8 bytes (the minimum size of a directory
+entry) left in the buffer to read the next directory record. Fix the
+loop conditional so that we don't read off the end of the buffer.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reported-by: Sami Liedes <sami.liedes@iki.fi>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+
+diff --git a/lib/ext2fs/dir_iterate.c b/lib/ext2fs/dir_iterate.c
+index 589af69..0744ee8 100644
+--- ./lib/ext2fs/dir_iterate.c
++++ ./lib/ext2fs/dir_iterate.c
+@@ -202,7 +202,7 @@ int ext2fs_process_dir_block(ext2_filsys fs,
+ if (ctx->errcode)
+ return BLOCK_ABORT;
+
+- while (offset < fs->blocksize) {
++ while (offset < fs->blocksize - 8) {
+ dirent = (struct ext2_dir_entry *) (ctx->buf + offset);
+ if (ext2fs_get_rec_len(fs, dirent, &rec_len))
+ return BLOCK_ABORT;
+--
+cgit v0.10.2
+
diff --git a/sysutils/e2fsprogs/files/patch-zzz-e9a5c6e3607d17641543aa5e801af22563fb1410 b/sysutils/e2fsprogs/files/patch-zzz-e9a5c6e3607d17641543aa5e801af22563fb1410
new file mode 100644
index 000000000000..57c1881c774d
--- /dev/null
+++ b/sysutils/e2fsprogs/files/patch-zzz-e9a5c6e3607d17641543aa5e801af22563fb1410
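Review bot: The new bound `offset < fs->blocksize - 8` in ext2fs_process_dir_block also stops before a record that starts exactly 8 bytes from the end of the block, although 8 bytes, the minimum the patch description names, are still available there. If that is intended a comment should say so; otherwise `offset <= fs->blocksize - 8` would match the stated rule. The literal 8 would read better as a named constant, and because the subtraction is presumably unsigned it relies on blocksize never being smaller than 8, which this hunk does not show being enforced. The loop body continues past the hunk.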
@@ -0,0 +1,45 @@
+From e9a5c6e3607d17641543aa5e801af22563fb1410 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Thu, 11 Sep 2014 12:24:07 -0400
+Subject: e2fsck: notice when the realloc of dir_info fails
+
+If the reallocation of dir_info fails, we will eventually cause e2fsck
+to fail with an internal error. So if the realloc fails, print a
+message and bail out with a fatal error early when at the time of the
+reallocation failure.
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+
+diff --git a/e2fsck/dirinfo.c b/e2fsck/dirinfo.c
+index dbaf471..4a9019b 100644
+--- ./e2fsck/dirinfo.c
++++ ./e2fsck/dirinfo.c
+@@ -140,6 +140,10 @@ void e2fsck_add_dir_info(e2fsck_t ctx, ext2_ino_t ino, ext2_ino_t parent)
+ sizeof(struct dir_info),
+ &ctx->dir_info->array);
+ if (retval) {
++ fprintf(stderr, "Couldn't reallocate dir_info "
++ "structure to %d entries\n",
++ ctx->dir_info->size);
++ fatal_error(ctx, 0);
+ ctx->dir_info->size -= 10;
+ return;
+ }
+diff --git a/e2fsck/dx_dirinfo.c b/e2fsck/dx_dirinfo.c
+index 7838a40..be53fff 100644
+--- ./e2fsck/dx_dirinfo.c
++++ ./e2fsck/dx_dirinfo.c
+@@ -40,6 +40,10 @@ void e2fsck_add_dx_dir(e2fsck_t ctx, ext2_ino_t ino, int num_blocks)
+ sizeof(struct dx_dir_info),
+ &ctx->dx_dir_info);
+ if (retval) {
++ fprintf(stderr, "Couldn't reallocate dx_dir_info "
++ "structure to %d entries\n",
++ ctx->dx_dir_info_size);
++ fatal_error(ctx, 0);
+ ctx->dx_dir_info_size -= 10;
+ return;
+ }
+--
+cgit v0.10.2
+ |
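Review bot: This patch and patch-zzz-beec19ff21d41c84dbbc2ab8d0df25147912ff59 both modify e2fsck/dirinfo.c, and their index lines (`dbaf471..4a9019b` here, `4a9019b..dab5a13` there) show that upstream applied this one first, while the hash-based file names sort it last. If the ports framework applies files/patch-* in lexical order, the hunks only land through line offsets; a sequence number in the file names would preserve the upstream order and make a future context mismatch easier to diagnose. Separately, in both hunks the rollback of the size and the `return;` that follow `fatal_error(ctx, 0);` look unreachable if fatal_error does not return, which is not visible here.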